CVE-2020-25219

NameCVE-2020-25219
Descriptionurl::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2372-1
NVD severitymedium
Debian Bugs971394

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libproxy (PTS)stretch0.4.14-2vulnerable
stretch (security)0.4.14-2+deb9u1fixed
buster0.4.15-5vulnerable
bullseye0.4.15-13vulnerable
sid0.4.15-14vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libproxysourcestretch0.4.14-2+deb9u1DLA-2372-1
libproxysource(unstable)(unfixed)971394

Notes

[buster] - libproxy <no-dsa> (Minor issue)
https://github.com/libproxy/libproxy/issues/134
https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa

Search for package or bug name: Reporting problems